syslog: not logging for remote host

From: O. Hartmann <ohartman_at_zedat.fu-berlin.de>
Date: Wed, 13 Jul 2016 09:53:43 +0200
I have some serious trouble logging for remote hosts via syslog on a specific
central server.

Following the manpages syslogd(8) and syslog.conf(5), syslogd can listen on a
specific address (-b option) and receive syslog messages from remote client
hosts on a specific network (-a option). Our syslogd configuration looks like
this (rc.conf):

syslogd_flags="-8 -n -v -4 -C -b 192.168.0.2:514 -a 192.168.0.1/24:*"

and sockstat shows a proper listening port:

[...]
root     syslogd    75823 6  udp4   192.168.0.2:514   *:*

Now the strange or weird part (in my opinion).

We have several firewalls, gateways, APs and printers which are configured to
send syslog messages to a remote host, designated by the IP shown above. This
works: I can see syslogd receiving messages from several systems
via /var/log/messages (at the moment everything is also dumped into that file
as well as onto the console, on which the messages from the remote devices also
appear as expected).

In /etc/syslog.conf I try to use the following line, for instance for one
device as pars pro toto, to log to a dedicated file:

[...]
+192.168.0.100
*.*			/var/log/printer-01.log
+192.168.0.101
*.*			/var/log/printer-02.log
!*
(EOF)

All log definitions for remote host logging are put at the end of the file
syslog.conf to avoid problems with the block boundaries. So the config shown
above should separate each host in a defined way, as the manpage
syslog.conf(5) states.

Using IPs only seems not to work (and I cannot understand why, according to
syslogd(8) and the option -a ipaddr/masklen:port). I never get a delegation of
log messages into the specified file.

So, syslog.conf(5) states that I have to use "names". So I also
set up /etc/hosts to have each remote host's IP assigned to a hostname (we
have no domain/DNS in this specific network, IP only!). So I then tried

[...]
+printer-01
*.*			/var/log/printer-01.log
+printer02
*.*			/var/log/printer-02.log
!*
(EOF)

This doesn't work either!

Something is very fishy with FreeBSD's syslogd and please let me know what I'm
doing wrong here.

I also read the section in the handbook about remote syslog and the requirement
of forward and reverse DNS resolution - which is NOT(!) mentioned in the
manpages (and I follow the opinion that when in doubt, the manpage is right!).

Can someone shed a bit of light on that (no, I do not want to use a ports
package/alternative syslog, I'd like to use FreeBSD's tools already aboard).

Thank you very much in advance, and apologies to those who feel bothered by a
possibly stupid question!

regards,

O. Hartmann
Received on Wed Jul 13 2016 - 05:57:18 UTC
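The post above hinges on which name the collector attaches to a datagram from a given sender before a `+hostname` block in syslog.conf can match it. The following is an added example, not code from the original message or from FreeBSD's syslogd: it is a small, explicitly simplified model of that path (PRI decoding per RFC 3164, naming the peer from a reverse mapping, then choosing the first matching host block), so the reader can feed it the addresses from the post and see what happens with and without a reverse entry, or with lookups switched off. The `HOSTS_FILE` mapping, the `HOST_BLOCKS` table, the printer addresses and the messages are all constructed; the `resolve=False` mode is the model's assumption about what running without name lookups would mean, not a statement about the real daemon's `-n` flag. `reverse_lookup()` is the one piece that touches the real system: it asks the local resolver (which reads /etc/hosts according to the host's resolver order) what it returns for an address, which is the check worth running on the collector itself.

```python
"""
Added example (not part of the original post or FreeBSD's syslogd sources):
a small model of how a syslog collector maps a sender's address to the name
that a `+hostname` block in syslog.conf is matched against, plus helpers to
build/parse RFC 3164 datagrams so the model can be fed realistic input.
All addresses, names and messages below are constructed for illustration.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the collector's /etc/hosts reverse mapping.
HOSTS_FILE: Dict[str, str] = {
    "192.168.0.100": "printer-01",
    "192.168.0.101": "printer-02",
}

# Constructed host blocks in the order they would appear in syslog.conf:
# (host selector, destination). "*" stands for the catch-all block.
HOST_BLOCKS: List[Tuple[str, str]] = [
    ("printer-01", "/var/log/printer-01.log"),
    ("printer-02", "/var/log/printer-02.log"),
    ("*", "/var/log/messages"),
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def build_rfc3164(facility: int, severity: int, hostname: str, tag: str, text: str,
                  timestamp: str = "Jul 13 09:53:43") -> bytes:
    """Encode a BSD-syslog (RFC 3164) datagram: <PRI>TIMESTAMP HOST TAG: MSG."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("utf-8")


def parse_pri(datagram: bytes) -> Tuple[int, int, str]:
    """Split PRI into (facility, severity) and return the remainder as text.
    A datagram without a valid PRI is treated as <13> = user.notice, which is
    what RFC 3164 section 4.3.3 tells a relay to assume."""
    text = datagram.decode("utf-8", errors="replace")
    m = _PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return 1, 5, text
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def peer_name(sender_ip: str, reverse: Dict[str, str], resolve: bool = True) -> str:
    """Name the model collector attaches to a message from sender_ip.
    Assumption of this model: with resolve=False, or when the address has no
    reverse mapping, the textual IP itself is used as the host name."""
    if not resolve:
        return sender_ip
    return reverse.get(sender_ip, sender_ip)


def select_destination(name: str, blocks: List[Tuple[str, str]]) -> Optional[str]:
    """Destination of the first host block whose selector matches the name.
    Matching is case-insensitive on the whole name; '*' matches any host."""
    for selector, dest in blocks:
        if selector == "*" or selector.lower() == name.lower():
            return dest
    return None


def route(sender_ip: str, datagram: bytes, reverse: Dict[str, str],
          blocks: List[Tuple[str, str]], resolve: bool = True) -> Dict[str, object]:
    """Full path for one received datagram: PRI decode, peer naming, destination."""
    facility, severity, body = parse_pri(datagram)
    name = peer_name(sender_ip, reverse, resolve)
    return {"facility": facility, "severity": severity, "peer": name,
            "destination": select_destination(name, blocks), "body": body}


def reverse_lookup(ip: str) -> str:
    """What this machine's resolver returns for ip (consulting /etc/hosts or
    DNS per the local resolver order); falls back to the IP on any failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ip


if __name__ == "__main__":
    dgram = build_rfc3164(16, 6, "printer-01", "lpd", "job 42 printed")  # local0.info
    for ip in ("192.168.0.100", "192.168.0.101", "192.168.0.150"):
        print(ip, route(ip, dgram, HOSTS_FILE, HOST_BLOCKS))
    # Same sender with lookups disabled: the name becomes the bare IP, so in
    # this model only a selector written as the IP (or the catch-all) matches.
    print("no-resolve", route("192.168.0.100", dgram, HOSTS_FILE, HOST_BLOCKS, resolve=False))
    print("this host resolves 127.0.0.1 to", reverse_lookup("127.0.0.1"))
```

Run it on the collector and compare the last line, and `reverse_lookup("192.168.0.100")`, with the selector you wrote in syslog.conf; if the resolver hands back the bare address or a different spelling of the name, no `+name` block written for that host can match in this model, and only the catch-all destination receives the message.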